SCION-Book.Pdf

SCION-Book.Pdf

SCION: A Secure Internet Architecture Adrian Pawel Raphael M. Laurent Perrig Szalachowski Reischuk Chuat ETH Zurich 30th August, 2017 ii iii To Miyoung, Thank you for your unwavering support. Love, forever! Adrian To Henio, For all these sleepless nights. Paweł To my family and those who supported me along my way. Raphael To Manon, For your patience and encouragement. Laurent Contents Foreword xi Preface xv I Overview 1 1 Introduction 3 1.1 Today’s Internet . .3 1.2 Goals of a Secure Internet Architecture . .8 1.3 Future Internet Architectures . 13 2 The SCION Architecture 17 2.1 Control Plane . 21 2.2 Data Plane . 25 2.3 Security Aspects . 27 2.4 Use Cases . 31 2.5 Incentives for Stakeholders . 34 2.6 Deployment . 36 2.7 Extensions . 39 2.8 Main Contributions . 39 3 Isolation Domains (ISDs) 43 3.1 Why Isolation? . 43 3.2 The ISD Core . 47 3.3 Coordination Among ISDs . 48 3.4 Name Resolution . 48 3.5 ISD Governance Models . 51 3.6 Nested Isolation Domains . 56 II SCION in Detail 59 4 Authentication Infrastructure 61 4.1 Overview . 61 4.2 Control-Plane Authentication . 68 4.3 Name Authentication . 83 4.4 End-Entity Authentication . 86 vii Contents 5 ISD Coordination 93 5.1 Motivation and Objectives . 94 5.2 Announcing and Discovering New ISDs . 97 5.3 Local Resolution of Conflicts . 100 6 Name Resolution 101 6.1 Background . 102 6.2 Name Resolution Architecture . 104 6.3 Naming Information Model . 106 6.4 The RAINS Protocol . 114 6.5 The Naming Consistency Observer (NCO) . 116 7 Control Plane 119 7.1 Path Exploration and Registration . 119 7.2 Path Lookup . 132 7.3 Secure Path Revocation . 138 7.4 Failure Resilience and Service Discovery . 146 7.5 AS-Level Anycast Service . 153 7.6 SCION Control Message Protocol (SCMP) . 155 7.7 Time Synchronization . 159 8 Data Plane 161 8.1 Path Format . 162 8.2 Creation of Forwarding Paths . 164 8.3 Efficient Path Construction . 174 9 Host Structure 179 9.1 SCION Dispatcher . 179 9.2 SCION Daemon . 183 9.3 Transmission Control Protocol (TCP/SCION) . 185 9.4 SCION Stream Protocol (SSP) . 188 10 Deployment and Operation 191 10.1 ISP Deployment . 191 10.2 End-Domain Deployment . 199 10.3 The SCION-IP Gateway (SIG) . 201 10.4 How to Try Out SCION . 211 10.5 SCION AS Management Framework . 215 10.6 Deploying a New AS . 218 10.7 The SCIONLab Experimentation Environment . 220 10.8 Example: Life of a SCION Data Packet . 223 10.9 SCION Path Policy . 230 viii Contents III Extensions 241 11 SIBRA 243 11.1 Motivation and Introduction . 244 11.2 Goals and Adversary Model . 245 11.3 Design Overview . 247 11.4 SIBRA Core Paths . 250 11.5 SIBRA Steady Paths . 259 11.6 SIBRA Ephemeral Paths . 261 11.7 Priority Traffic Monitoring and Policing . 268 11.8 Use Cases . 272 11.9 Discussion . 273 11.10 Further Reading . 276 12 OPT and DRKey 279 12.1 Introduction . 280 12.2 OPT Problem Definition . 281 12.3 OPT Design Overview . 283 12.4 OPT Protocol Description . 286 12.5 Dynamically Recreatable Keys (DRKey) . 291 IV Analysis and Evaluation 299 13 Security Analysis 301 13.1 Security Goals . 302 13.2 Threat Model . 304 13.3 Software Security . 305 13.4 Control-Plane Path Manipulation . 307 13.5 Data-Plane Path Manipulation . 312 13.6 Censorship and Surveillance . 318 13.7 Attacks Against Availability . 320 13.8 Absence of Kill Switches . 325 13.9 Resilience to Path Hijacking . 327 13.10 Summary . 330 14 Power Consumption 331 14.1 Modeling Power Consumption of an FIA Router . 332 14.2 Simulation . 334 V Specification 339 15 Packet and Message Formats 341 15.1 SCION Packet . 341 ix Contents 15.2 Control Plane . 355 15.3 PCB and Path Segment . 356 15.4 Path Management Messages . 361 15.5 PKI Interactions . 362 15.6 SCMP Packet . 363 16 Configuration File Formats 369 16.1 Trust Root Configuration . 369 16.2 AS Certificates . 370 16.3 Discovery Service Configuration . 374 16.4 Router, Server, and End-Host Configuration . 376 17 Cryptographic Algorithms 381 17.1 Algorithm Agility . 381 17.2 Symmetric Primitives . 384 17.3 Asymmetric Primitives . 385 17.4 Post-Quantum Cryptography . 386 Bibliography 387 Frequently Asked Questions 409 Glossary 417 Abbreviations 421 Index 423 x Foreword VIRGIL GLIGOR (CARNEGIE MELLON UNIVERSITY) Despite having worked with Adrian Perrig for a few years at Carnegie Mellon University’s CyLab, where he embarked on the task of developing a secure architecture for the Internet, I had had no in-depth exposure to SCION until I attended a presentation he gave at Singapore Management University in late 2010. Entitled “SCI-FI: Secure Communication Infrastructure for a Future Internet,” his talk described the early project that was to become SCION. The audience reaction was predictable and all too familiar: you can’t change the Internet; its foundation is immutable! But in fact it had been clear for a long time that the Internet design had to change, as security cracks had gradually been appearing in its foundation since its early days. By the mid-1980s, it was obvious that the denial-of- service problem was not effectively addressed by Internet protocols. By the mid-90s, it was clear that BGP was prone to cascading instability, and by the mid-2000s distributed denial of service had become a predictable Internet “feature.” Other security issues arose, such as prefix hijacking, IP source address spoofing, and packet-content alteration. Even when cryptographic protocols, such as SSL/TLS, were finally applied in response to e-commerce pressure, their worldwide deployment was more an exception than the rule. Besides, the public-key infrastructure (PKI) supporting SSL/TLS continues to be extremely fragile. As the Internet has expanded in size and use, security problems have become increasingly severe: both organized crime and nation states have started to launch massive attacks for economic or political gain. Despite repeated wake-up calls for Internet redesign, the response has gener- ally been something of a “boiling frogs” reaction: the severity of the problems has continued to increase relentlessly, but perception of the enormous effort re- quired to solve them has blocked, frustrated and foiled any impulse for redesign from ground up. Over the past decade, it has become clear that security is a fundamental problem of Internet design, but it remains a secondary concern. So against that background, the audience reaction to Adrian Perrig’s 2010 SCI-FI presentation in Singapore was only to be expected. Since my first exposure to SCION, I have been impressed with several of its innovative ideas and new properties. For instance, the concept of isolation xi Foreword domains provides control-plane protection and simplifies construction of PKI infrastructures due to the natural scoping of trust roots. (Although a concept similar to that of isolation domains was considered for the initial Internet design, the focus in that early phase was on getting the network to function at scale before introducing hierarchical decomposition mechanisms.) SCION’s con- cepts of transparency and control, which weave through the entire architecture, result in many desirable properties, e.g., both high-performance and multipath communication for hosts. Also, cryptographically protected packet-carried forwarding state brings forwarding-path authorization without incurring any router-state cost. SCION’s architecture integrates these concepts seamlessly into a coherent secure system. This book offers a fascinating view of both the high-level concepts that drive SCION’s design and its implementation, and it leads the reader to draw some surprising new conclusions. Contrary to the common belief that security causes a loss of performance, several SCION operations are efficient despite performing cryptographic opera- tions; e.g., SCION packet forwarding can be faster and require less energy than IP forwarding. This suggests that redesigning the Internet can be rewarding in more areas than security. I am not aware of any other project that has gone so deeply and broadly in redesigning an entire secure Internet architecture. The SCION project contradicts another widely held opinion in demonstrating that deployment of a new Internet architecture at scale is in fact possible. This book illustrates the basic ingredients of deployment success: SCION has provided a multitude of incentives for ISPs and end domains, so that local deployment can already provide benefits to early adopters. The book also describes some of SCION’s secret deployment sauce: keep the updates of the current routing infrastructure of both ISPs and end domains to a minimum, and reuse the existing intra-domain communication to the maximum extent. It should not be surprising that (e.g., Swiss) ISPs have already found it possible to deploy SCION routers in their core infrastructure and develop new services on it. Contrary to another common belief, a single Internet architecture can en- able integrated defenses against multiple types of attacks, as opposed to one which requires piecemeal solutions. In my opinion, the SCION architecture is unique in this sense, and this book illustrates the fact through the solutions it describes to long-standing problems. For example, SCION provides these unique properties: • Global security without any global root of trust. This implies that a global “kill switch,” an unavoidable feature of other secure network architectures, is not possible in SCION. • Control-plane functions for secure path withdrawals and control messages. Although any network can always cryptographically sign messages in an xii attempt to achieve secure operation, SCION secures the control plane in a very efficient way while enabling high-speed router operation. • Global resource allocation without requiring per-flow or per-computation fairness mechanisms.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    453 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us